Cryptanalysis of McEliece Cryptosystems Based on Quasi-Cyclic Codes

Abstract. We cryptanalyse here two variants of the McEliece cryptosystem
based on quasi-cyclic codes. Both aim at reducing the key size by restricting
the public and secret generator matrices to be in quasi-cyclic form. The
first variant considers subcodes of a primitive BCH code. The aforementioned
constraint on the public and secret keys implies choosing very structured
permutations. We prove that this variant is not secure by producing many linear
equations that the entries of the secret permutation matrix have to satisfy,
using the fact that the secret code is a subcode of a known BCH code. This
attack has been implemented and in all experiments we have performed the
solution space of the linear system was of dimension one and revealed the
permutation matrix.

The other variant uses quasi-cyclic low density parity-check codes. This
scheme was devised to be immune against general attacks working for McEliece
type cryptosystems based on low density parity-check codes by choosing in the
McEliece scheme more general one-to-one mappings than permutation matrices.
We suggest here a structural attack exploiting the quasi-cyclic structure
of the code and a certain weakness in the choice of the linear transformations
that hide the generator matrix of the code. This cryptanalysis adopts a
polynomial-oriented approach and basically consists in searching for two
polynomials of low weight such that their product is a public polynomial.
Our analysis shows that with high probability a parity-check matrix of a
punctured version of the secret code can be recovered with time complexity
$O(n^3)$ where $n$ is the length of the considered code. The complete
reconstruction of the secret parity-check matrix of the quasi-cyclic low
density parity-check code requires the search of codewords of low weight,
which can be done with about $2^{37}$ operations for the specific parameters
proposed.

Keywords. McEliece cryptosystem, quasi-cyclic codes, BCH codes, LDPC
codes, cryptanalysis.
1. Introduction

Since the introduction of the McEliece public-key cryptosystem [17], several
attempts have been made to propose alternatives to the classical Goppa codes. The
main motivation is to drastically reduce the size of the public and private keys,
which is of real concern for any concrete deployment. For instance, the parameters
suggested in the original cryptosystem, and now outdated, give about 500 Kbits
for the public key and 300 Kbits for the private key. Such sizes come from the
fact that McEliece proposed to use as public key a generator matrix of a linear
block code. He suggested taking a code that admits an efficient decoding
algorithm capable of correcting up to a certain number of errors, and then
hiding its structure by applying two secret linear transformations: a
scrambling transformation that sends the chosen generator matrix to another one,
and a permutation matrix that reorders the coordinates. The resulting matrix is
then the public key. The private key consists of the two secret transformations
and the decoding algorithm.

Niederreiter also invented [H] a code-based asymmetric cryptosystem by
choosing to describe codes through a parity-check matrix. These two systems are
equivalent in terms of security [16]. Their security relies on two difficult
problems: One-Wayness against Chosen-Plaintext Attack (OW-CPA), thanks to the
difficulty of decoding large random linear block codes, and the difficulty of
guessing the decoding algorithm from a hidden generator matrix. It is worthwhile
mentioning that the OW-CPA character is well established as long as appropriate
parameters are taken. This is due to two facts: first, it is proven in [2] that
decoding a random linear code is NP-hard, and second, the best known algorithms
[HI 13] and [20, Volume I, Chapter 7] run in time exponential in the length $n$
of the underlying code (see [10] for more details). However, the second
criterion is not always satisfied by a class of codes that has a decoding
algorithm. For instance, Sidel'nikov and Shestakov proved in [22] that the
structure of Generalised Reed-Solomon codes of length $n$ can be recovered in
$O(n^3)$ (see for instance [pH, page 39]). Sendrier proved [37] that the
permutation transformation can be extracted for concatenated codes. Minder and
Shokrollahi presented in [15] a structural attack that creates a private key
against a cryptosystem based on Reed-Muller codes [21].

However, despite these attacks on variants of the McEliece cryptosystem,
the original scheme still resists every known structural attack. Additionally,
the McEliece system and its Niederreiter counterpart display better encryption
and decryption complexity than competing asymmetric schemes such as RSA.
Unfortunately, they both suffer from the same drawback: they need very large
keys, as pointed out above. It is therefore crucial to find a method to reduce
the representation of a linear code as well as the matrices of the linear
transformations.

A possible solution is to take very sparse matrices. This idea has been applied
in [5], which examined the implications of using Low Density Parity-Check (LDPC)
codes. The authors showed that taking sparse matrices for the linear
transformations is not a secure solution. Indeed, it is possible to recover the
secret code from the public parity-check matrix. Another idea due to [25] is to
take subcodes of an optimal code such as Generalized Reed-Solomon codes in order
to decrease the code rate. But great care has to be taken in the choice of
parameters because in [26] it has been proved that some parameters are not
secure. A recent trend in code-based public key cryptosystems is to use
quasi-cyclic codes [11], [1], [13], [TJ1], [5]. This particular family of codes
offers the advantage of having a very simple and compact description. Many
codewords can simply be obtained by considering cyclic shifts of a single
codeword. Exploiting this fact leads to much smaller public and private keys.
Currently there exist two public-key cryptosystems based upon quasi-cyclic
codes. The first proposal [11] uses subcodes of a primitive BCH cyclic code. The
size of the public key for this cryptosystem is about 20 Kbits. The other one
[1] tries to combine these two positive aspects by requiring quasi-cyclic LDPC
codes. It also avoids trivial attacks against McEliece type cryptosystems based
on LDPC codes by using in the secret key a more general kind of invertible
matrix instead of a permutation matrix. For this particular system, the authors
propose a public key size that is about 48 Kbits.

In this work, we cryptanalyse these two cryptosystems. We show that the
cryptosystem of [11] is not secure because it is possible to recover the secret
permutation that is supposed to hide the structure of the secret quasi-cyclic
code. We prove it by producing many linear equations that the entries of the
secret permutation matrix have to satisfy, using the fact that the secret code
is a subcode of a known BCH code. This attack has been implemented and in all
experiments we have performed the solution space of the linear system was of
dimension one and revealed the permutation matrix.

In a second part, we also suggest a structural attack on [1] exploiting the
quasi-cyclic structure of the code and a certain weakness in the choice of the
linear transformations that hide the generator matrix of the code. This
cryptanalysis adopts a polynomial-oriented approach and basically consists in
searching for two polynomials of low weight such that their product is a public
polynomial. Our analysis shows that with high probability a parity-check matrix
of a punctured version of the secret code can be recovered with time complexity
$O(n^3)$ where $n$ is the length of the considered code. An implementation
shows that this recovery can be done in about 140 seconds on a PC. The final
step, which consists in completely reconstructing the original parity-check
matrix of the secret quasi-cyclic low density parity-check code, requires the
search for low weight codewords, which can be done with about $2^{37}$
operations for the specific parameters proposed.

The rest of this paper is organised as follows. In Section 2 we recall
definitions and basic properties of circulant matrices. Section 3 gives a
description of how to totally break the McEliece variant proposed in [11]. In
Section 4 we propose a method to totally cryptanalyse the scheme of [1].
Section 5 concludes the paper.
2. Notation and Definitions

2.1. Circulant Matrices

Let $\mathbb{F}_2$ be the finite field with two elements and denote by
$\mathbb{F}_2[x]$ the set of univariate polynomials with coefficients in
$\mathbb{F}_2$. Any $p$-bit vector $v = (v_0, \dots, v_{p-1})$ is identified
with the polynomial $v(x) = v_0 + v_1 x + \cdots + v_{p-1} x^{p-1}$. The support
of a vector (or a polynomial) $v$ is the set of positions $i$ such that $v_i$ is
non-zero, and the weight $\mathrm{wt}(v)$ of $v$ is the cardinality of its
support. The intersection polynomial of any two polynomials $u(x)$ and $v(x)$
is $u(x) * v(x) = \sum_i u_i v_i x^i$.

A binary circulant matrix $M$ is a $p \times p$ matrix obtained by cyclically
right shifting the first row:
$$
M = \begin{pmatrix}
m_0 & m_1 & \cdots & m_{p-1} \\
m_{p-1} & m_0 & \cdots & m_{p-2} \\
\vdots & \vdots & \ddots & \vdots \\
m_1 & m_2 & \cdots & m_0
\end{pmatrix} \qquad (1)
$$

Thus any circulant matrix $M$ is completely described by its first row
$m = (m_0, \dots, m_{p-1})$. Note that a circulant matrix is also obtained by
cyclically down shifting its first column. We shall see that the classical
matrix operations of addition and multiplication preserve the circulant
structure of matrices. It is possible to characterise the $i$-th row of a
circulant matrix $M$ as the polynomial
$$x^i \cdot m(x) \bmod (x^p - 1).$$
If one looks at the product $b \times M$ of a circulant matrix $M$ with a binary
vector $b = (b_0, \dots, b_{p-1})$ then it exactly corresponds to the $p$-bit
vector represented by the polynomial $b(x) \cdot m(x) \bmod (x^p - 1)$. This
property naturally extends to the product of two $p \times p$ circulant matrices
$M$ and $N$. Indeed, the first row of $M \times N$ is exactly
$m(x) \cdot n(x) \bmod (x^p - 1)$ and the $i$-th row of $M \times N$ is
represented by the polynomial
$$\bigl(x^i \cdot m(x)\bigr) \cdot n(x) \bmod (x^p - 1)
= x^i \cdot \bigl(m(x) \cdot n(x)\bigr) \bmod (x^p - 1).$$
We have therefore the following result.

Proposition 1. Let $\mathcal{C}_p$ be the set of binary $p \times p$ circulant
matrices. There exists a ring isomorphism between $(\mathcal{C}_p, +, \times)$
and $(\mathbb{F}_2[x]/(x^p - 1), +, \cdot)$:
$$(\mathcal{C}_p, +, \times) \simeq (\mathbb{F}_2[x]/(x^p - 1), +, \cdot).$$

Remark 1. The first column of a circulant matrix $M$ defined by $m(x)$
corresponds to the polynomial $m^*(x) = x^p \cdot m(1/x) \bmod (x^p - 1)$.

Proposition 1 can be used to provide a simple characterisation of invertible
circulant matrices, since a polynomial $m(x)$ is a unit of
$\mathbb{F}_2[x]/(x^p - 1)$ if and only if it is coprime with $x^p - 1$:

Proposition 2. A $p \times p$ circulant matrix $M$ is invertible if and only if
$m(x)$ is coprime with $x^p - 1$.

Proof. One only has to prove that the inverse of a circulant matrix $M$ defined
by a polynomial $m(x)$ of $\mathbb{F}_2[x]/(x^p - 1)$ is necessarily a circulant
matrix. Assume that there exists $N$ such that $N \times M = M \times N = I_p$
with $I_p$ the $p \times p$ identity matrix. Let $n = (n_0, \dots, n_{p-1})$ be
the first row of $N$. We have previously seen that the product $n \times M$ can
be seen as the polynomial $n(x) \cdot m(x) \bmod (x^p - 1)$. This latter
polynomial is equal to $1$ by assumption. Consequently, for any $i$ such that
$0 \le i \le p - 1$ we also have
$\bigl(x^i \cdot n(x)\bigr) \cdot m(x) = x^i \bmod (x^p - 1)$, which proves that
the circulant matrix defined by $n(x)$ is the inverse of $M$. Therefore $N$ is
circulant. $\square$

A matrix $G$ of size $k \times n$ is $p$-block circulant with $k = k_0 p$ and
$n = n_0 p$, where $k_0$ and $n_0$ are positive integers, if there exist
$p \times p$ circulant matrices $G_{i,j} \in \mathcal{C}_p$ such that:
$$
G = \begin{pmatrix}
G_{1,1} & \cdots & G_{1,n_0} \\
\vdots & \ddots & \vdots \\
G_{k_0,1} & \cdots & G_{k_0,n_0}
\end{pmatrix}
$$
It is straightforward to see that the set of block circulant matrices is stable
under matrix addition and matrix multiplication. It is therefore natural to
identify a block circulant matrix $G$ with the $k_0 \times n_0$ polynomial matrix
$G(x)$ with entries in $\mathbb{F}_2[x]/(x^p - 1)$ obtained by sending each
block $G_{i,j}$ to the polynomial $g_{i,j}(x)$ defining it.

Proposition 3. Let $\mathfrak{B}^p_{k_0,n_0}$ be the set of $p$-block circulant
matrices of size $k_0 p \times n_0 p$. Let $R_p = \mathbb{F}_2[x]/(x^p - 1)$ and
denote by $\mathfrak{M}_{k_0,n_0}(R_p)$ the set of $k_0 \times n_0$ matrices
with coefficients in $R_p$. There exists a ring isomorphism between
$\mathfrak{B}^p_{k_0,n_0}$ and $\mathfrak{M}_{k_0,n_0}(R_p)$:
$$\mathfrak{B}^p_{k_0,n_0} \simeq \mathfrak{M}_{k_0,n_0}(R_p), \qquad
G \mapsto G(x).$$
In particular any square $p$-block circulant matrix $G$ is invertible if and
only if $\det(G)(x)$ is coprime with $x^p - 1$, and its inverse is also a
$p$-block circulant matrix.
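The correspondence of Propositions 1 to 3 and the invertibility test of Proposition 2, as an added Python example that is not part of the original paper: polynomials over $\mathbb{F}_2$ are Python ints (bit $i$ is the coefficient of $x^i$), a circulant matrix is the list of its row ints, the inverse of $m(x)$ modulo $x^p - 1$ is computed by the extended Euclidean algorithm in $\mathbb{F}_2[x]$, and for a non-invertible $m(x)$ an explicit vector in the left kernel of $M$ is produced. The modulus $p = 7$ and the sample polynomials are chosen here for illustration only.

```python
# Added example (not from the paper): circulant matrices over F2 as elements of
# F2[x]/(x^p - 1).  Polynomials are ints, bit i = coefficient of x^i; a matrix
# is a list of row ints.  p = 7 and the sample polynomials are illustrative.

def mulmod(a, b, p):
    """a(x) * b(x) mod (x^p - 1) over F2."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> p & 1:              # x^p == 1 modulo x^p - 1
            a ^= (1 << p) | 1
    return r

def circulant(m, p):
    """Rows of the p x p circulant matrix of Equation (1) with first row m:
    the i-th row is x^i * m(x) mod (x^p - 1)."""
    return [mulmod(m, 1 << i, p) for i in range(p)]

def vec_times_mat(b, rows):
    """Row vector b (int) times a matrix (row ints) over F2."""
    r = 0
    for i, row in enumerate(rows):
        if b >> i & 1:
            r ^= row
    return r

def mat_mult(A, B):
    return [vec_times_mat(row, B) for row in A]

def first_column(rows):
    """First column of a matrix read as a polynomial (row i -> coefficient of x^i)."""
    return sum((row & 1) << i for i, row in enumerate(rows))

def reciprocal(m, p):
    """m*(x) = x^p * m(1/x) mod (x^p - 1) of Remark 1: x^i goes to x^((p-i) mod p)."""
    return sum(1 << ((p - i) % p) for i in range(p) if m >> i & 1)

# --- plain F2[x] arithmetic for the Euclidean algorithm ----------------------

def polymul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
    return r

def polydivmod(a, b):
    """Quotient and remainder of a by b in F2[x] (b != 0)."""
    q, db = 0, b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        s = a.bit_length() - 1 - db
        q |= 1 << s
        a ^= b << s
    return q, a

def polygcd(a, b):
    while b:
        a, b = b, polydivmod(a, b)[1]
    return a

def inverse_mod(m, p):
    """Inverse of m(x) modulo x^p - 1 by the extended Euclidean algorithm, or
    None when gcd(m, x^p - 1) != 1 (Proposition 2)."""
    mod = (1 << p) | 1                      # x^p + 1 = x^p - 1 over F2
    r0, r1, t0, t1 = mod, m, 0, 1           # invariant: t_i * m == r_i (mod x^p - 1)
    while r1:
        q, rem = polydivmod(r0, r1)
        r0, r1 = r1, rem
        t0, t1 = t1, t0 ^ polymul(q, t1)
    if r0 != 1:
        return None
    return polydivmod(t0, mod)[1]

def kernel_witness(m, p):
    """When gcd(m, x^p - 1) = g != 1, the nonzero vector w = (x^p - 1)/g satisfies
    w x M = 0, so M is singular: the 'only if' direction of Proposition 2."""
    g = polygcd(m, (1 << p) | 1)
    return None if g == 1 else polydivmod((1 << p) | 1, g)[0]

if __name__ == "__main__":
    p, m = 7, 0b111                          # m(x) = x^2 + x + 1
    inv = inverse_mod(m, p)
    print("inverse of x^2+x+1 mod x^7-1:", bin(inv))
    print("M x M^-1 is the identity:",
          mat_mult(circulant(m, p), circulant(inv, p)) == circulant(1, p))
    print("x^3+x+1 divides x^7-1, kernel witness:", bin(kernel_witness(0b1011, p)))
```

Over $\mathbb{F}_2$, $x^7 - 1 = (x+1)(x^3+x+1)(x^3+x^2+1)$, so $x^3 + x + 1$ gives a singular circulant matrix while $x^2 + x + 1$ gives an invertible one.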

2.2. Cyclic and Quasi-Cyclic Codes

A (binary) linear code $\mathcal{C}$ of length $n$ and dimension $k$ is a
$k$-dimensional vector subspace of $\mathbb{F}_2^n$. The elements of a code are
called codewords. A generator matrix $G$ of $\mathcal{C}$ is a $k' \times n$
matrix with $k' \ge k$ whose rows generate $\mathcal{C}$. A parity-check matrix
$H$ of $\mathcal{C}$ is an $r \times n$ matrix with $r \ge n - k$ such that for
any codeword $c \in \mathcal{C}$ we have:
$$H \times c^T = 0.$$
It is well-known that if a generator matrix of $\mathcal{C}$ is of the form
$(I \mid A)$ where $I$ is the identity matrix then $(A^T \mid I)$ is a
parity-check matrix for $\mathcal{C}$. Such a generator matrix is said to be in
reduced echelon form. A code $\mathcal{C}'$ is said to be permutation equivalent
to $\mathcal{C}$ if there exists a permutation of the symmetric group of order
$n$ that reorders the coordinates of codewords of $\mathcal{C}'$ into codewords
of $\mathcal{C}$. It is convenient to consider equivalent codes as the same
code.

A cyclic code $\mathcal{C}$ of length $n$ is an ideal of the ring
$\mathbb{F}_2[x]/(x^n - 1)$. Such a code is characterised by a unique polynomial
$g(x)$ dividing $x^n - 1$. Let $r$ be the degree of $g(x)$. Any codeword $c(x)$
is obtained as a product in $\mathbb{F}_2[x]$ of the form
$$c(x) = m(x) \cdot g(x)$$
where $m(x)$ is a polynomial of $\mathbb{F}_2[x]$ of degree at most $n - 1 - r$.
$\mathcal{C}$ is a linear code of dimension $k = n - r$. The polynomial $g(x)$
is called the generator polynomial of the cyclic code $\mathcal{C}$ and we
shall write $\mathcal{C} = \langle g(x) \rangle$.

A code $\mathcal{C}$ is quasi-cyclic of index $p$ if there exists a generator
matrix $G$ that is $p$-block circulant. We assume that all the $G_{i,j}$'s are
square matrices of size $p \times p$ and therefore $n = n_0 p$ and $k = k_0 p$.
Cyclic codes of length $n$ are thus quasi-cyclic codes of index $n$, where a
generator matrix is the circulant matrix associated to the generator
polynomial.

A useful method developed in [11] for obtaining quasi-cyclic codes of length
$n = p n_0$ and index $p$ is to consider a cyclic code $\mathcal{C}$ generated
by a polynomial $g(x)$ and construct the subcode $S_{n_0}(c)$ spanned by a
codeword $c(x)$ and its $p - 1$ shifts modulo $(x^n - 1)$ by $n_0$ bits:
$x^{n_0} \cdot c(x), \dots, x^{(p-1) n_0} \cdot c(x)$. However, note that
$S_{n_0}(c)$ does not directly admit a $p$-block circulant generator matrix.
One has to consider the equivalent code obtained with the permutation $\pi$
that maps any position $a n_0 + b$ to $b p + a$ with $0 \le a \le p - 1$ and
$0 \le b \le n_0 - 1$. It means that up to a permutation any codeword $c(x)$ of
a cyclic code $\mathcal{C}$ can be seen as a vector $c = (c_0, \dots, c_{n_0-1})$
where each $c_i$ belongs to $\mathbb{F}_2^p \simeq \mathbb{F}_2[x]/(x^p - 1)$,
and such that the vector $c' = (c'_0, \dots, c'_{n_0-1})$ with
$c'_j(x) = x \cdot c_j(x) \bmod (x^p - 1)$ (the image of the shift of $c(x)$ by
$n_0$ bits) is also a codeword of $S_{n_0}(c)$.



3. A McEliece Cryptosystem Based on Subcodes of a BCH Code

3.1. Description

Let $\mathcal{C}_0$ be a cyclic code of length $n = p n_0$ and let $k$ be the
dimension of $\mathcal{C}_0$. Assume that $\mathcal{C}_0$ admits a $k' \times n$
generator matrix with $k' \ge k$ and such that $k' = p k_0$. For simplicity, we
set $k' = k$. Let $c_1(x), c_2(x), \dots, c_{k_0-1}(x)$ be random codewords of
$\mathcal{C}_0$ and consider the linear code $\mathcal{C}$ defined as
$$\mathcal{C} = S_{n_0}(c_1) + \cdots + S_{n_0}(c_{k_0-1}).$$
We assume that $\mathcal{C}$ is of dimension $k - p = p(k_0 - 1)$. Recall from
Section 2.2 that up to a permutation any $n$-bit vector $c_i(x)$ with
$1 \le i \le k_0 - 1$ can be seen as a vector $(c_{i,1}, \dots, c_{i,n_0})$
where each $c_{i,j}$ can also be seen as an element of
$\mathbb{F}_2[x]/(x^p - 1)$. Thus $\mathcal{C}$ is a quasi-cyclic code of index
$p$ whose generator matrix $G(x)$ in $p$-block circulant form is:
$$
G(x) = \begin{pmatrix}
c_{1,1}(x) & \cdots & c_{1,n_0}(x) \\
\vdots & \ddots & \vdots \\
c_{k_0-1,1}(x) & \cdots & c_{k_0-1,n_0}(x)
\end{pmatrix}
$$

The variant of the McEliece cryptosystem proposed in [11] starts from a
secret subcode $\mathcal{C}$ of dimension $p(k_0 - 1)$ of a primitive BCH code
$\mathcal{C}_0$ obtained by the method explained above. A secret permutation
$\pi$ of the symmetric group of order $n_0$ hides the structure of $\mathcal{C}$
while keeping its quasi-cyclic structure, by publicly making available the
generator matrix $G^\pi(x)$ defined by:
$$
G^\pi(x) = \begin{pmatrix}
c_{1,\pi(1)}(x) & \cdots & c_{1,\pi(n_0)}(x) \\
\vdots & \ddots & \vdots \\
c_{k_0-1,\pi(1)}(x) & \cdots & c_{k_0-1,\pi(n_0)}(x)
\end{pmatrix}
$$
The cyclic code $\mathcal{C}_0$ given in [11] is a primitive BCH code of length
$2^m - 1$ and dimension $n - tm$ where $t$ is a positive integer. Two sets of
parameters are proposed, corresponding respectively to $2^{100}$ and $2^{80}$
security levels.

• Parameters A: $m = 12$, $t = 26$, $p = 91$, $n_0 = 45$ and $k_0 = 43$.

• Parameters B: $m = 11$, $t = 31$, $p = 89$, $n_0 = 23$ and $k_0 = 21$.

Note that we always have $p > n_0$. This property will be useful for
cryptanalysing the cryptosystem.

3.2. Structural Cryptanalysis

We describe a method that recovers the secret permutation $\pi$ of the
cryptosystem of [11] and thus reveals the secret key of any user. It exploits
three facts:

1. The code $\mathcal{C}_0$ admits a binary $(n - k) \times n$ parity-check
matrix $H_0$ which can be assumed to be known. There are only a few different
primitive BCH codes for a given parameter set $(n, m, t)$ and we can try all of
them. This is a consequence of the fact that the number of such codes is
clearly upper-bounded by the number of primitive polynomials of degree $m$. For
instance, for the parameter set B, this number is equal to 176.

2. Since $\mathcal{C}$ is a subcode of $\mathcal{C}_0$, any $n$-bit codeword
$c$ of $\mathcal{C}$ must satisfy the equation:
$$H_0 \times c^T = 0. \qquad (2)$$

3. Permuting through a permutation $\pi$ the columns of a polynomial generator
matrix $G(x)$ of $\mathcal{C}$ can also be translated into a matrix product by
the associated $n_0 \times n_0$ permutation matrix $\Pi$ of $\pi$. Note that
$\Pi$ can also be seen as a polynomial matrix $\Pi(x) \in \mathfrak{B}^p_{n_0,n_0}$
where each $0$ (resp. $1$) entry corresponds to the constant polynomial $0$
(resp. $1$), so that we have:
$$G^\pi(x) = G(x) \times \Pi(x). \qquad (3)$$
Note that Equation (3) can be rewritten as an equality between binary $p$-block
circulant matrices:
$$G^\pi = G \times \bar{\Pi}, \qquad (4)$$
where $G^\pi$ is the $(k - p) \times n$ public generator matrix and
$\bar{\Pi} = \Pi \otimes I_p$ with $I_p$ the $p \times p$ identity matrix.
Finding $\Pi$ actually amounts to solving a linear system of $n_0^2$ unknowns
representing the entries of $\Pi$ such that:
$$H_0 \times \bigl(G^\pi \times \bar{\Pi}^{-1}\bigr)^T = 0. \qquad (5)$$
In other words, each row of the public matrix $G^\pi$ after being permuted by
$\bar{\Pi}^{-1}$ must satisfy Equation (2). This is a linear system since
$\bar{\Pi}^{-1}$ may be rewritten as $\Pi^{-1} \otimes I_p$. This means that
each row of $G^\pi$ provides $(n - k)$ binary linear equations satisfied by
$\Pi^{-1}$. Thus Equation (5) gives a total number of $(k - p)(n - k)$ linear
equations that must be satisfied by $n_0^2$ unknowns.

The cryptanalysis of [11] amounts to solving an over-constrained linear system
constituted of $p^2 (k_0 - 1)(n_0 - k_0)$ equations in $n_0^2$ unknowns, since
as we have remarked $p > n_0$. For instance, Parameters B give 529 unknowns that
should satisfy 316,840 equations. As for Parameters A, we obtain 2,025 unknowns
that satisfy 695,604 equations. Many of these equations are obviously linearly
dependent. The success of this method heavily depends on the size of the
solution vector space. An implementation in the Magma software actually always
gave in both cases a vector space of dimension one. This revealed the secret
permutation.
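The attack of Section 3.2 on a scaled-down instance, as an added Python example that is not part of the original paper. The instance stays in the paper's parameter family (a primitive BCH code of length $2^m - 1$ and dimension $n - tm$, with $p > n_0$): $m = 4$, $t = 2$, so $\mathcal{C}_0$ is the $[15, 7]$ BCH code with generator polynomial $(x^4+x+1)(x^4+x^3+x^2+x+1)$, and $p = 5$, $n_0 = 3$, $k_0 = 2$. The secret codeword, the secret permutation and the random seed are constructed here; the key generation follows the description of Section 3.1 and the solver builds the equations of (5) and enumerates the solution space.

```python
import random

# Added toy example (not from the paper): the linear-system attack of
# Section 3.2 on a scaled-down instance of the BCH-subcode variant, with
# m = 4, t = 2, p = 5, n0 = 3, k0 = 2 (so n = 15 = 2^4 - 1 and p > n0).
# Polynomials and vectors are ints: bit i = coefficient of x^i = coordinate i.
# The secret codeword, permutation and seed are constructed here.

P, N0, K0 = 5, 3, 2
N = P * N0                                   # 15
G_POLY = 0b111010001                         # (x^4+x+1)(x^4+x^3+x^2+x+1): BCH(15,7), t = 2
K = N - (G_POLY.bit_length() - 1)            # 7 = n - tm

def mulmod(a, b, n):
    """a(x) * b(x) mod (x^n - 1) over F2."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n & 1:
            a ^= (1 << n) | 1
    return r

def parity(v):
    return bin(v).count("1") & 1

def nullspace(rows, ncols):
    """Basis of {x : <row, x> = 0 for every row} over F2 (Gaussian elimination)."""
    pivots = []                                  # (pivot column, fully reduced row)
    for r in rows:
        for c, pr in pivots:
            if r >> c & 1:
                r ^= pr
        if r:
            c = r.bit_length() - 1
            pivots = [(pc, pr ^ r if pr >> c & 1 else pr) for pc, pr in pivots]
            pivots.append((c, r))
    pivot_cols = {c for c, _ in pivots}
    basis = []
    for f in range(ncols):                       # one basis vector per free column
        if f not in pivot_cols:
            v = 1 << f
            for c, pr in pivots:
                if pr >> f & 1:
                    v |= 1 << c
            basis.append(v)
    return basis

def reindex(v):
    """Section 2.2: coordinate a*n0 + b goes to b*p + a (block b, position a)."""
    w = 0
    for a in range(P):
        for b in range(N0):
            if v >> (a * N0 + b) & 1:
                w |= 1 << (b * P + a)
    return w

def block(v, j):
    return (v >> (j * P)) & ((1 << P) - 1)

def keygen(rng):
    """Secret rows of C = S_n0(c_1) + ... in block coordinates, the secret
    permutation pi, and the public G^pi (public block j = secret block pi[j])."""
    rows = []
    for _ in range(K0 - 1):
        c = mulmod(G_POLY, rng.randrange(1, 1 << K), N)        # random codeword of C0
        rows += [reindex(mulmod(c, 1 << (j * N0), N)) for j in range(P)]
    pi = list(range(N0))
    rng.shuffle(pi)
    public = [sum(block(r, pi[j]) << (j * P) for j in range(N0)) for r in rows]
    return rows, pi, public

def parity_checks():
    """H0 of the public BCH code C0 = <g(x)>, in block coordinates (Fact 1)."""
    gen = [mulmod(G_POLY, 1 << i, N) for i in range(K)]
    return [reindex(h) for h in nullspace(gen, N)]

def recover_permutation(public, h0):
    """Equation (5): unknown n0 x n0 matrix X (bit i*n0 + j is X[i][j]); each
    (public row, parity check) pair gives sum_{i,j} X[i][j] <h_j, r_i> = 0.
    Returns the solution-space dimension and every permutation it contains."""
    eqs = []
    for r in public:
        for h in h0:
            e = 0
            for i in range(N0):
                for j in range(N0):
                    if parity(block(r, i) & block(h, j)):
                        e |= 1 << (i * N0 + j)
            eqs.append(e)
    basis = nullspace(eqs, N0 * N0)
    perms = []
    for mask in range(1, 1 << len(basis)):                  # enumerate the solution space
        x = 0
        for t, b in enumerate(basis):
            if mask >> t & 1:
                x ^= b
        cols = [[j for j in range(N0) if x >> (i * N0 + j) & 1] for i in range(N0)]
        if all(len(c) == 1 for c in cols) and len({c[0] for c in cols}) == N0:
            perms.append([c[0] for c in cols])              # X[i][pi[i]] = 1
    return len(basis), perms

if __name__ == "__main__":
    rng = random.Random(2008)
    rows, pi, public = keygen(rng)
    dim, perms = recover_permutation(public, parity_checks())
    print("secret pi =", pi, "| solution dimension =", dim, "| found:", perms)
```

With the convention that public block $j$ is secret block $\pi(j)$, the unknown matrix satisfying (5) is $X_{i,\pi(i)} = 1$, so the recovered list is $\pi$ itself; the solver reports the dimension of the solution space, which is the quantity the text says was always one for the real parameters.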

4. A Cryptosystem Based on Quasi-Cyclic LDPC Codes

4.1. Description

LDPC codes are linear codes defined by sparse binary parity-check matrices. We
assume as in [1] that $n = p n_0$ and $k = p(n_0 - 1)$, and we consider a
parity-check matrix $H$ of the following form:
$$H = \begin{pmatrix} H_1 & \cdots & H_{n_0} \end{pmatrix} \qquad (6)$$
where each matrix $H_j$ is a sparse circulant matrix of size $p \times p$.
Without loss of generality, $H_{n_0}$ is chosen to have full rank. Each column
of $H$ has a fixed weight $d_v$ which is very small compared to the length $n$.
We also assume that one has a good approximation of the number $t$ of
correctable errors through iterative decoding of the code defined by $H$.

The quasi-cyclic LDPC cryptosystem proposed in [1] takes two invertible
$p$-block circulant matrices $S$ and $Q$ of size $k \times k$ and $n \times n$
respectively. The matrix $S$ (resp. $Q$) is chosen such that the weight of each
row and each column is $s$ (resp. $m$). The private key consists of the
parity-check matrix $H$ and the matrices $S$ and $Q$. In order to produce the
public key, one has to compute a generator matrix $G'$ in reduced echelon form
and make public the matrix $G = S^{-1} \times G' \times Q^{-1}$.
The plaintext space is $\mathbb{F}_2^k$ and the ciphertext space is
$\mathbb{F}_2^n$. If one wishes to encrypt a message $x \in \mathbb{F}_2^k$, one
has to randomly choose an $n$-bit vector $e$ of weight $t' \le t/m$ and compute
$c = x \times G + e$. The decryption step consists in iteratively decoding
$c \times Q = x \times S^{-1} \times G' + e \times Q$ to output
$z = x \times S^{-1}$ and then computing $x = z \times S$. The crucial point
that makes this cryptosystem valid is that $e \times Q$ is a correctable error
because its weight is at most $t' m \le t$.

4.2. Some Remarks on the Choice of the Parameters

The authors suggest taking a matrix $Q$ in diagonal form. They also suggest the
following values: $p = 4032$, $n_0 = 4$, $d_v = 13$, $m = 7$ and $t = 190$
($t' = 27$). Finally, each block circulant matrix of $S$ has a column/row weight
equal to $m$ so as to have $s = m(n_0 - 1)$. Unfortunately, for this specific
constraint there is a flaw in this choice because the matrix $S$ is not
invertible. This follows from the fact that in this case $x - 1$ always divides
$\det(S)(x)$, which is therefore not coprime with $x^p - 1$, and this implies
that $S(x)$ is not invertible. This can be proved by using the following
arguments.

Lemma 1. Let $S(x) = (s_{i,j}(x))$ in $\mathfrak{M}_{n_0-1,n_0-1}(R_p)$ and
define the binary matrix $\bar{S} = (\bar{s}_{i,j})$ by
$\bar{s}_{i,j} = \mathrm{wt}(s_{i,j}) \bmod 2$. We then have:
$$\det(\bar{S}) = \mathrm{wt}(\det(S)) \bmod 2.$$

Proof. This comes from the fact that
$\mathrm{wt}(u + v) = \mathrm{wt}(u) + \mathrm{wt}(v) - 2\,\mathrm{wt}(u * v)$
for any $u(x)$ and $v(x)$ in $\mathbb{F}_2[x]$, which implies that:
$$\mathrm{wt}(u + v) = \mathrm{wt}(u) + \mathrm{wt}(v) \bmod 2, \qquad
\mathrm{wt}(u \cdot v) = \mathrm{wt}(u) \cdot \mathrm{wt}(v) \bmod 2.$$
In other words, $f(x) \mapsto \mathrm{wt}(f) \bmod 2 = f(1)$ is a ring
homomorphism from $R_p$ onto $\mathbb{F}_2$, and the determinant commutes with
it. $\square$

Proposition 4. For any $S(x)$ in $\mathfrak{M}_{3,3}(R_p)$ such that each
$s_{i,j}$ is of weight $m$, $x - 1$ divides $\det(S)(x)$.

Proof. By using the same notation as in the previous lemma we know that
$\det(\bar{S})$ is equal to zero since $\bar{S}$ is the all-one matrix (or the
all-zero matrix when $m$ is even). From the previous lemma it follows that
$\det(S)(x)$ has a support of even weight. This implies that $x - 1$ divides
$\det(S)(x)$. $\square$

In order to avoid this situation we introduce as few polynomials of weight
different from $m$ in $S$ as needed so that $\det(\bar{S}) = 1$. A possible
choice is the following one. First we choose a nonsingular $\bar{S}$ equal to
$$
\bar{S} = \begin{pmatrix}
1 & 1 & 1 \\
1 & 0 & 1 \\
0 & 1 & 1
\end{pmatrix}.
$$
When $\bar{s}_{i,j} = 1$ we choose the corresponding entry $s_{i,j}(x)$ to be
of weight $m$ and if $\bar{s}_{i,j} = 0$ we choose the corresponding entry
$s_{i,j}(x)$ to be of weight $m - 1$.
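Lemma 1 and Proposition 4 checked on the parameters of [1], as an added Python example that is not part of the original paper: a $3 \times 3$ matrix over $R_p$ with every entry of weight $m = 7$ always has a determinant divisible by $x + 1$ (detected as even weight, i.e. $f(1) = 0$), while the repaired weight pattern $\bar{S}$ above gives a determinant of odd weight. The random entries and the seed are constructed here; the determinant is expanded with the Leibniz formula, which needs no signs in characteristic 2.

```python
import random

# Added example (not from the paper): Lemma 1 and Proposition 4 on the
# parameters of [1] (p = 4032, m = 7, n0 - 1 = 3), and the repaired weight
# pattern for S.  Polynomials are ints, bit i = coefficient of x^i; the random
# entries and the seed are constructed here.

P, M = 4032, 7
ALL_ODD = [[1, 1, 1], [1, 1, 1], [1, 1, 1]]     # every s_ij of weight m: the flawed choice
REPAIRED = [[1, 1, 1], [1, 0, 1], [0, 1, 1]]    # the nonsingular S-bar of Section 4.2

def mulmod(a, b, p):
    """a(x) * b(x) mod (x^p - 1) over F2."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> p & 1:
            a ^= (1 << p) | 1
    return r

def weight(f):
    return bin(f).count("1")

def random_poly(rng, w, p):
    """Random polynomial of weight exactly w modulo x^p - 1."""
    return sum(1 << e for e in rng.sample(range(p), w))

def build_S(rng, pattern, p=P, m=M):
    """Entry weight m where the pattern has a 1, weight m - 1 where it has a 0."""
    return [[random_poly(rng, m if bit else m - 1, p) for bit in row] for row in pattern]

def det3(S, p=P):
    """Determinant of a 3 x 3 matrix over R_p by the Leibniz formula."""
    d = 0
    for s in [(0, 1, 2), (0, 2, 1), (1, 0, 2), (1, 2, 0), (2, 0, 1), (2, 1, 0)]:
        t = 1
        for i in range(3):
            t = mulmod(t, S[i][s[i]], p)
        d ^= t
    return d

def weight_parity_matrix(S):
    """S-bar of Lemma 1: entries wt(s_ij) mod 2."""
    return [[weight(e) & 1 for e in row] for row in S]

def det3_f2(B):
    """Determinant of a 3 x 3 binary matrix modulo 2."""
    a, b, c = B[0]
    d, e, f = B[1]
    g, h, i = B[2]
    return (a * (e * i ^ f * h) ^ b * (d * i ^ f * g) ^ c * (d * h ^ e * g)) & 1

def x_plus_1_divides(f):
    """x - 1 = x + 1 divides f(x) iff f(1) = 0 iff wt(f) is even."""
    return weight(f) % 2 == 0

def lemma1_holds(S):
    """det(S-bar) == wt(det(S)) mod 2."""
    return det3_f2(weight_parity_matrix(S)) == weight(det3(S)) & 1

if __name__ == "__main__":
    rng = random.Random(1)
    flawed = build_S(rng, ALL_ODD)
    fixed = build_S(rng, REPAIRED)
    print("all entries of weight 7: x+1 | det(S)?", x_plus_1_divides(det3(flawed)))
    print("repaired pattern:        x+1 | det(S)?", x_plus_1_divides(det3(fixed)))
```

Odd weight of $\det(S)(x)$ only rules out the factor $x + 1$; full invertibility of $S$ still requires $\det(S)(x)$ to be coprime with every other factor of $x^p - 1$, which is what Proposition 3 asks for.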

It should also be mentioned that a decoding attack searching for a word of
weight at most $t' = 27$ in a code of length $n = 16128$ and dimension
$k = 12096$, as proposed by using the algorithm given in [3], has a work factor
of about $2^{78.5}$. Note that this work factor may even be decreased with the
algorithm of [7].
4.3. Structural Attack

4.3.1. Preliminaries. The goal of this attack is to recover the secret code
$\mathcal{C}$ defined by the parity-check matrix $H$ given in Equation (6). We
know that $S$ and $Q$ are equivalently defined by polynomials $s_{i,j}(x)$ and
$q_{i,j}(x)$ respectively. $Q$ is chosen to be in diagonal form, that is to say
$q_{i,j}(x) = 0$ if $i \ne j$. For the sake of simplicity, we set
$q_i(x) = q_{i,i}(x)$. Moreover the polynomials $q_i(x)$ are invertible modulo
$x^p - 1$ since $Q$ is invertible. It is also straightforward to remark that
the secret generator matrix $G'$ is equal to:
$$G' = \Bigl(\, I_k \;\Big|\; \bigl(H_{n_0}^{-1} \times (H_1 \;\cdots\; H_{n_0-1})\bigr)^T \Bigr).$$
In other words, if we denote by $G_{\le k}$ the matrix obtained by taking the
$k$ first columns of $G$, then we have:
$$
G_{\le k} = S^{-1} \times \begin{pmatrix}
Q_1^{-1} & 0 & \cdots & 0 \\
0 & Q_2^{-1} & \ddots & \vdots \\
\vdots & \ddots & \ddots & 0 \\
0 & \cdots & 0 & Q_{n_0-1}^{-1}
\end{pmatrix}.
$$
This implies that $G_{\le k}^{-1}$ is a $p$-block circulant matrix defined by
polynomials $g_{i,j}(x)$ that satisfy the following equations:
$$g_{i,j}(x) = q_i(x) \cdot s_{i,j}(x) \bmod (x^p - 1). \qquad (7)$$
Note that the weight of $g_{i,j}(x)$ is at most $m^2$. Actually, due to the fact
that the secret polynomials have very low weights, we shall see that the weight
of $g_{i,j}(x)$ is exactly $m^2$ with good probability. For the sake of
simplicity, we set $q_i(x) = x^{e_1} + \cdots + x^{e_m}$ and
$s_{i,j}(x) = x^{\ell_1} + \cdots + x^{\ell_m}$ with $0 \le e_a \le p - 1$ and
$0 \le \ell_a \le p - 1$ for any $1 \le a \le m$. We fix $q_i(x)$ and we assume
that the monomials $x^{\ell_a}$ of $s_{i,j}(x)$ are independently and uniformly
chosen. We wish to estimate the probability that the support of $g_{i,j}(x)$
contains the support of at least one shift $x^{\ell} \cdot q_i(x)$¹, and the
probability that the weight of $g_{i,j}(x)$ is exactly $m^2$.

Lemma 2. Let $\ell_1, \dots, \ell_w$ be $w$ different integers such that
$0 \le \ell_a \le p - 1$ for $1 \le a \le w$. For a uniformly random integer
$0 \le \ell \le p - 1$ different from $\ell_1, \dots, \ell_w$, we have:
$$\Pr\bigl\{ (x^{\ell_1} + \cdots + x^{\ell_w}) \cdot q_i(x) * x^{\ell} \cdot q_i(x) \ne 0 \bigr\}
\le \frac{w\, m(m-1)}{p - w}.$$

Proof. Set first $r(x) = (x^{\ell_1} + \cdots + x^{\ell_w}) \cdot q_i(x)$. By
the union bound we have:
$$\Pr\{ r(x) * x^{\ell} \cdot q_i(x) \ne 0 \}
\le \sum_{a=1}^{w} \Pr\{ x^{\ell_a} \cdot q_i(x) * x^{\ell} \cdot q_i(x) \ne 0 \}.$$
The probability $\Pr\{ x^{\ell_a} \cdot q_i(x) * x^{\ell} \cdot q_i(x) \ne 0 \}$
is at most the fraction of integers $\ell$ different from
$\ell_1, \dots, \ell_w$ such that there exist $1 \le b \le m$ and
$1 \le c \le m$ with:
$$\ell_a + e_b = \ell + e_c \bmod p.$$
Thus this fraction is at most the ratio of the number of pairs $(e_b, e_c)$ with
$b \ne c$ to the number of possible values for $\ell$, which is
$m(m-1)/(p - w)$. $\square$

Proposition 5. The probability $\Pr\{ x^{\ell} \cdot q_i(x) \subset g_{i,j}(x) \}$,
for $\ell$ in $\{\ell_1, \dots, \ell_m\}$, that the support of $g_{i,j}(x)$
contains the support of $x^{\ell} \cdot q_i(x)$ is lower-bounded by:
$$\Pr\{ x^{\ell} \cdot q_i(x) \subset g_{i,j}(x) \}
\ge \Bigl( 1 - \frac{m(m-1)}{p - 1} \Bigr)^{m-1}.$$

Proof. This inequality is obtained by taking $w = 1$ in Lemma 2 and by the
independence of the choice of the $(m - 1)$ other monomials of $s_{i,j}(x)$.
$\square$

Proposition 6. The probability $q$ that $g_{i,j}(x)$ is exactly of weight $m^2$
is lower-bounded by:
$$q \ge \prod_{w=1}^{m-1} \Bigl( 1 - w\,\frac{m(m-1)}{p - w} \Bigr).$$

Proof. For any $2 \le w \le m$, let $E_w$ denote the event
$$E_w : \; (x^{\ell_1} + \cdots + x^{\ell_{w-1}}) \cdot q_i(x) * x^{\ell_w} \cdot q_i(x) = 0$$
when each monomial $x^{\ell_a}$ is uniformly and independently chosen. We also
set $E_1$ as the whole universe. If $E_2, \dots, E_m$ all hold then the $m^2$
monomials $x^{\ell_a + e_b}$ are pairwise distinct, so we have:
$$q \ge \Pr\{ E_2 \cap \cdots \cap E_m \}.$$
Using Bayes' rule we also have
$$\Pr\{ E_2 \cap \cdots \cap E_m \}
= \prod_{w=2}^{m} \Pr\{ E_w \mid E_{w-1} \cap \cdots \cap E_1 \}.$$
But by Lemma 2, applied with the $w - 1$ exponents $\ell_1, \dots, \ell_{w-1}$,
we know that
$\Pr\{ E_w \mid E_{w-1} \cap \cdots \cap E_1 \} \ge 1 - (w-1)\,\frac{m(m-1)}{p - w + 1}$,
which gives the product above after reindexing. $\square$
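The bounds of Propositions 5 and 6 evaluated for the parameters of [1] ($p = 4032$, $m = 7$) and compared with frequencies observed on random $q_i(x)$ and $s_{i,j}(x)$ of weight $m$, as an added Python example that is not part of the original paper. Polynomials are handled through their supports, so a product is a count of exponent collisions modulo $p$; the number of trials and the seed are constructed here.

```python
import random

# Added example (not from the paper): the bounds of Propositions 5 and 6 for
# the parameters of [1] (p = 4032, m = 7), next to the frequencies observed on
# random q_i(x) and s_ij(x) of weight m.  Polynomials are handled through their
# supports (sets of exponents); the trial count and seed are constructed here.

P, M = 4032, 7

def sparse_mul(A, B, p):
    """Support of a(x) * b(x) mod (x^p - 1): exponents reached an odd number of times."""
    count = {}
    for a in A:
        for b in B:
            e = (a + b) % p
            count[e] = count.get(e, 0) + 1
    return {e for e, c in count.items() if c & 1}

def bound_prop5(p, m):
    """(1 - m(m-1)/(p-1))^(m-1)."""
    return (1 - m * (m - 1) / (p - 1)) ** (m - 1)

def bound_prop6(p, m):
    """prod_{w=1}^{m-1} (1 - w m(m-1)/(p-w))."""
    q = 1.0
    for w in range(1, m):
        q *= 1 - w * m * (m - 1) / (p - w)
    return q

def experiment(trials, p=P, m=M, seed=1):
    """Frequency with which supp(g_ij) contains supp(x^l q_i) for one monomial
    x^l of s_ij (Proposition 5), and with which wt(g_ij) = m^2 (Proposition 6)."""
    rng = random.Random(seed)
    contains = exact = 0
    for _ in range(trials):
        q = set(rng.sample(range(p), m))          # q_i(x), weight m
        s = set(rng.sample(range(p), m))          # s_ij(x), weight m
        g = sparse_mul(q, s, p)                   # g_ij = q_i * s_ij  (Equation (7))
        l = rng.choice(sorted(s))                 # one monomial x^l of s_ij
        if {(l + e) % p for e in q} <= g:
            contains += 1
        if len(g) == m * m:
            exact += 1
    return contains / trials, exact / trials

if __name__ == "__main__":
    print("Prop. 5 bound %.3f, Prop. 6 bound %.3f" % (bound_prop5(P, M), bound_prop6(P, M)))
    c, x = experiment(3000)
    print("observed: contains a shift of q_i %.3f, weight m^2 %.3f" % (c, x))
```

The bounds come out at about $0.939$ and $0.799$, the values $0.94$ and $0.79$ quoted in the text, and the observed frequencies sit slightly above them, as a lower bound should.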

4.3.2. Different Strategies.

First Strategy. We have seen in Proposition 5 that the support of $g_{i,j}(x)$
contains with very high probability the support of at least one shifted version
of $q_i(x)$¹, since for the parameters given in [1] we obtain
$\Pr\{ x^{\ell} \cdot q_i(x) \subset g_{i,j}(x) \} \ge 0.94$. One possible
strategy to recover the polynomial $q_i(x)$ consists in enumerating the
$m$-tuples $u_1, \dots, u_m$ of elements of the support of $g_{i,j}(x)$, forming
$u(x) = \sum_a x^{u_a}$, and testing whether $u^{-1}(x) \cdot g_{i,j'}(x)$ is of
weight $m$ for $1 \le j' \le n_0 - 1$. The cost of this attack is
$O\bigl(\binom{m^2}{m} \cdot p^2\bigr)$, which corresponds to $2^{50.3}$
operations for the specific parameters proposed.

¹ Actually, the support of $g_{i,j}(x)$ contains with good probability all the
supports of $x^{\ell_a} \cdot q_i(x)$ with $1 \le a \le m$, since $q \ge 0.79$
for the proposed parameters.
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Second Strategy. We present another strategy that can be used to recover secret 
matrices S and thus matrices Qi, . . . , Q no -\. This strategy requires to search for 
codewords of very low weight in a linear code. The most efficient algorithm that 
accomplishes this task is the algorithm of [3] which improves upon Stern's algo- 
rithm [23j . However in order to derive a simple bound on the time complexity, we 
consider this second algorithm as in pQ. The work factor H, n ,k,w of Stern's algo- 
rithm to find A w codewords of weight w in a code of length n and dimension k 
satisfies £lk,n,w > a p wnere (flS^) are two parameters and N is the number of 
binary operations required for each iteration 



N = (n- kf/2 + k(n - kf + 2g£ 



fc/2 



/fc/2\ 

+ 2g(n-k) K 9 ' 



9 J V 

P w represents the probability of finding a given codeword of weight w 



(8) 



p 

-t it 



)( fe n /2-J(V)( 



i— fc/2— w+g\ 
fc/2- S ) 



r 



-fc— w+2g\ 



(fc/2) 



(n-k/2\ 
\ fc/2 ) 



( n ~ 



Recall that G <k is specified by polynomials g i Ax). Let dij(x) be the polynomial 
9i i( x ) " 9ii( x ) mod (x p — 1) and consider the code Si defined by the following 
generator matrix: 

Ei = { I n A;. 2 • • • D 



1:2 



i,rio — 1 



) 



where as usual the circulant matrix D^j is characterised by the polynomial di y j(x). 
Then S% contains at least p codewords of low weight (no — l)m — 21 since 



S. 



i.i 



Ei — ( Si,i Si : 2 



S, 



It is therefore possible to recover matrices <Si,i, . . . , <Si,« D — 1 with a complexity of 
2 32 operations by applying Stern's algorithm with (g,£) — (3,43) in order to find 
a codeword of weight 21 in a code of dimension p and length (n — \)p = 12096. 
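The second strategy on a scaled-down instance, as an added Python example that is not part of the original paper: $p = 16$, $m = 3$, $n_0 = 5$. The code $\mathcal{E}_i$ is written as the row space of the block row $(G_{i,1} \mid \cdots \mid G_{i,n_0-1})$ of $G_{\le k}^{-1}$, which equals $\mathcal{E}_i$ when $G_{i,1}$ is invertible and avoids computing $g_{i,1}^{-1}$; the low-weight codeword search is an exhaustive walk over the $2^p$ multipliers (in Gray-code order, so each step is one XOR per block) in place of Stern's algorithm, and $q_i$ is recovered by trying all weight-$m$ polynomials in place of a division modulo $x^p - 1$. The secret polynomials and the seed are constructed here.

```python
import random
from itertools import combinations

# Added toy example (not from the paper): the second strategy of Section 4.3.2
# with p = 16, m = 3, n0 = 5.  Exhaustive enumeration replaces Stern's
# algorithm and a weight-m search replaces division mod x^p - 1.  Polynomials
# are ints, bit i = coefficient of x^i; secrets and seed are constructed here.

P, M, N0 = 16, 3, 5
TARGET = (N0 - 1) * M           # weight of the secret row (S_i1 | ... | S_i,n0-1)

def mulmod(a, b, p):
    """a(x) * b(x) mod (x^p - 1) over F2."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> p & 1:
            a ^= (1 << p) | 1
    return r

def weight(f):
    return bin(f).count("1")

def random_poly(rng, w, p):
    return sum(1 << e for e in rng.sample(range(p), w))

def keygen(rng):
    """Secret q_i and row (s_i1, ..., s_i,n0-1) of S, and the public row
    (g_i1, ..., g_i,n0-1) of G_{<=k}^{-1} with g_ij = q_i s_ij (Equation (7)).
    With p = 2^4, x^p - 1 = (x + 1)^p over F2, so q_i is invertible exactly
    when its weight is odd, which m = 3 guarantees."""
    q = random_poly(rng, M, P)
    s = [random_poly(rng, M, P) for _ in range(N0 - 1)]
    return q, s, [mulmod(q, sj, P) for sj in s]

def low_weight_codewords(g, max_weight):
    """All codewords (v g_i1, ..., v g_i,n0-1), v != 0 in R_p, of weight <= max_weight.
    v runs through F2^p in Gray-code order: consecutive v differ in one bit i,
    so each block changes by x^i g_ij.  This row space is the code E_i of the text."""
    rows = [[mulmod(gj, 1 << i, P) for i in range(P)] for gj in g]   # x^i * g_ij
    found, blocks, v = [], [0] * len(g), 0
    for t in range(1, 1 << P):
        i = (t & -t).bit_length() - 1            # bit flipped by the t-th Gray code step
        v ^= 1 << i
        for j in range(len(g)):
            blocks[j] ^= rows[j][i]
        if sum(weight(b) for b in blocks) <= max_weight:
            found.append((v, list(blocks)))
    return found

def recover_secret_row(g, candidates):
    """Second strategy: a codeword of weight (n0-1)m is x^a (s_i1, ..., s_i,n0-1)
    for some shift a, and q_i x^{-a} is then the weight-m polynomial q_hat with
    q_hat * s_hat_j = g_ij for every j.  Returns (q_hat, s_hat) or None."""
    for _, s_hat in candidates:
        for exps in combinations(range(P), M):
            q_hat = sum(1 << e for e in exps)
            if all(mulmod(q_hat, sj, P) == gj for sj, gj in zip(s_hat, g)):
                return q_hat, s_hat
    return None

if __name__ == "__main__":
    rng = random.Random(2008)
    q, s, g = keygen(rng)
    cands = low_weight_codewords(g, TARGET)
    q_hat, s_hat = recover_secret_row(g, cands)
    print("public weights:", [weight(x) for x in g], "| low-weight codewords:", len(cands))
    print("recovered q weight", weight(q_hat), "| row weights", [weight(x) for x in s_hat])
```

Any pair $(\hat q, \hat s)$ returned is a valid secret key for the public row, since the factorisation of $g_{i,j}$ is only defined up to a common shift $x^a$; the $p$ shifts of the true row are always among the low-weight codewords found.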



4.3.3. Extraction of the Secret Code. After recovering $S, Q_1, \dots, Q_{n_0-1}$,
one is therefore able to compute from the public key the following generator
matrix $\tilde{G}$:
$$
\tilde{G} = S \times G \times \operatorname{diag}(Q_1, \dots, Q_{n_0-1}, I_p)
= G' \times \begin{pmatrix} I_k & 0 \\ 0 & Q_{n_0}^{-1} \end{pmatrix}
= \left( \begin{array}{c|c} I_k & \begin{matrix} A_1 \\ \vdots \\ A_{n_0-1} \end{matrix} \end{array} \right)
$$
where for $1 \le i \le n_0 - 1$ we set
$A_i = (H_{n_0}^{-1} \times H_i)^T \times Q_{n_0}^{-1}$. Recall that the
matrices $H_1, \dots, H_{n_0}$ and $Q_{n_0}$ are still unknown. However, one can
easily check that for any different $i$ and $j$ we have
$(A_i \times A_j^{-1})^T = H_j^{-1} \times H_i$ whenever $H_j$ is invertible
(circulant matrices commute, so the factors $H_{n_0}$ and $Q_{n_0}$ cancel).
Thus, if we set $B_{i,j} = (A_i \times A_j^{-1})^T$ then for a fixed
$1 \le i \le n_0 - 1$ and for any different integers $j$ and $j'$ we have
$H_j \times B_{i,j} = H_{j'} \times B_{i,j'} = H_i$. Consider now the code
defined by the following generator matrix $G_1$:
$$G_1 = \begin{pmatrix} B_{1,1} & B_{2,1} & \cdots & B_{n_0-1,1} \end{pmatrix}.$$
It is easy to see that
$H_1 \times G_1 = \begin{pmatrix} H_1 & H_2 & \cdots & H_{n_0-1} \end{pmatrix}$.
This also means that $G_1$ spans a code with a minimum distance that is at most
$(n_0 - 1) d_v$. Therefore, by applying dedicated algorithms ([3] or
[20, Volume I, Chapter 7]) searching for codewords of small weight, it is
possible to recover the matrices $H_1, \dots, H_{n_0-1}$. For instance, the
work factor of Stern's algorithm for searching codewords of weight
$(n_0 - 1) d_v = 3 \cdot 13 = 39$ in a code of dimension $p = 4032$ and length
$p(n_0 - 1) = 12096$ is about $2^{37}$ operations with $(g, \ell) = (3, 43)$.

Finally, we are able to compute
$(H_i^T)^{-1} \times A_i = (H_{n_0}^{-1})^T \times Q_{n_0}^{-1}$ for any
$1 \le i \le n_0 - 1$. Inverting this matrix and applying again the second
strategy presented in Section 4.3.2, it is possible to find the matrices
$H_{n_0}$ and $Q_{n_0}$.

4.4. Example

We illustrate the previously described attacks with some randomly generated
polynomials $s_{i,j}(x)$ and $q_{i,j}(x)$ of weight $m = 7$ and degree less
than $p = 4032$ as given in [1]. We only list the exponents of the monomials
that appear in the expression of the polynomials. Recall that some coefficients
$s_{i,j}(x)$ have to be of even weight (actually of weight $m - 1 = 6$) in order
to generate an invertible matrix $S$. We implemented the attack in the MAGMA
software. The running time on a Pentium 4 (2.80 GHz) with 500 Mbytes of RAM for
the second strategy is 140 seconds. The last step, which consists in recovering
the secret LDPC code, is performed by applying the Canteaut-Chabaud algorithm.
The work factor of this operation is about $2^{36}$ operations. Our
implementation in MAGMA finds a codeword of weight $(n_0 - 1) d_v = 39$ in about
15 minutes.

H_1 = [213, 457, 1467, 1702, 1786, 2015, 2155, 2197, 2569, 2744, 2823, 2902, 3710]

H_2 = [6, 626, 868, 1102, 1564, 1894, 2401, 2595, 2982, 3570, 3605, 3771, 3835]

H_3 = [615, 639, 1198, 1513, 1712, 1850, 1941, 2397, 2553, 3074, 3373, 3798, 3960]

H_4 = [135, 149, 241, 735, 1265, 2075, 2869, 3111, 3218, 3625, 3760, 3785, 3969]

S_{1,1} = [24, 274, 334, 2025, 2574, 2661, 3601]

S_{1,2} = [512, 1177, 2524, 2526, 2904, 2968, 3340]

S_{1,3} = [930, 1175, 1210, 1459, 2200, 2303, 2811]

S_{2,1} = [503, 1258, 1632, 1658, 2055, 2221, 2764]

S_{2,2} = [989, 1256, 2568, 2625, 2906, 3139]

S_{2,3} = [561, 616, 2499, 2787, 2835, 3061, 3865]

S_{3,1} = [177, 465, 1659, 1958, 2795, 3605]

S_{3,2} = [419, 461, 1540, 2262, 2435, 3474, 3587]

S_{3,3} = [554, 1119, 1307, 2018, 2193, 2631, 3755]

Q_1 = [456, 578, 1551, 1562, 1992, 2919, 3476]

Q_2 = [250, 268, 897, 1782, 2127, 3163, 3378]

Q_3 = [14, 1132, 1672, 1716, 2164, 2723, 3409]

Q_4 = [443, 593, 2401, 2615, 2981, 3612, 3993]
5. Conclusion

The idea of introducing quasi-cyclic codes and quasi-cyclic low density
parity-check codes is motivated by the practical concern of reducing the key
sizes of the McEliece cryptosystem. The first variant of [11] uses quasi-cyclic
codes obtained from subcodes of a cyclic BCH code. The other variant of [1] uses
quasi-cyclic low density parity-check codes. However, we have shown here that
these two attempts at reducing the key size come at the expense of security.
Indeed, we have presented structural cryptanalyses of these two variants of the
McEliece cryptosystem. The first attack applies to the variant of [11] and
extracts the secret permutation supposed to hide the structure of the secret
code. We show that the secret key recovery amounts to solving an
over-constrained linear system. The second attack accomplishes a total break of
[1]. In the first phase, we look for divisors of low weight of a given public
polynomial. The last phase recovers the secret parity-check matrix of the
secret quasi-cyclic low density parity-check code by looking for low weight
codewords in a punctured version of the secret code. An implementation shows
that the first phase can be accomplished in about 140 seconds and the second
phase in about 15 minutes.

However, these results cannot be applied to the original McEliece scheme using
Goppa codes, which remains up to now the only unbroken scheme. An open problem
which it would be desirable to solve is to come up with a way of reducing
significantly the key sizes in this type of public-key cryptosystem while
keeping the security intact.